Everything about security

h3rcul35 and starlord were having a heated conversation and, to c00l down the furious starlord, h3rcul35 gave him a binary and said “The binary takes each ‘character’ byte of the flag as an argument. Given this info, grab the flag. I hope you don't get angry :P”. Show h3rcul35 that you stayed c00l by finding the flag.

The binary starts by storing the number of arguments in [rbp+var_44] and the address of the argument array in [rbp+var_50]. Next, it checks whether the number of arguments is equal to 31. Since the first argument is the program’s file name, the remaining 30 arguments are the characters of our flag. If the program doesn’t have exactly 31 arguments, it terminates with exit code 1. Otherwise, it jumps to 0x40081F. Let’s check what’s there.

We encounter a loop that iterates through the arguments and copies the first byte of each into another array starting at [rbp+var_30]. Let’s give that array a name to make the following parts easier to read. I will call it flag, since it contains the bytes of the flag.

After exiting the loop, the binary checks whether the equation flag[0] + flag[1] - flag[2] = 0x51 holds. If so, it moves on to the next part. Otherwise, it terminates. Let’s continue following the right path.

```asm
.text:0000000000400882 movzx   eax, [rbp+var_30]
.text:0000000000400886 movsx   edx, al
.text:0000000000400889 movzx   eax, [rbp+var_2F]
.text:000000000040088D movsx   eax, al
.text:0000000000400890 sub     edx, eax
.text:0000000000400892 movzx   eax, [rbp+var_2E]
.text:0000000000400896 movsx   eax, al
.text:0000000000400899 add     eax, edx
.text:000000000040089B cmp     eax, 35h
.text:000000000040089E jnz     loc_400D5F
```

Here, we have another equation: flag[0] - flag[1] + flag[2] = 0x35 (var_30, var_2F and var_2E are flag[0], flag[1] and flag[2], and movsx sign-extends each byte before the arithmetic). If the equation does not hold, the binary terminates. Keep following the right path.

```asm
.text:00000000004008A4 movzx   eax, [rbp+var_2F]
.text:00000000004008A8 movsx   edx, al
.text:00000000004008AB movzx   eax, [rbp+var_30]
.text:00000000004008AF movsx   eax, al
.text:00000000004008B2 sub     edx, eax
.text:00000000004008B4 movzx   eax, [rbp+var_2E]
.text:00000000004008B8 movsx   eax, al
.text:00000000004008BB add     eax, edx
.text:00000000004008BD cmp     eax, 57h
.text:00000000004008C0 jnz     loc_400D58
```

Oh, there is another equation! This one is flag[1] - flag[0] + flag[2] = 0x57 (the immediate in the listing is 57h). So far, we have 3 unknowns and 3 independent linear equations, which is solvable. In other words, we already know the first 3 characters of the flag! Let’s look at the rest of the code.

The rest of the code follows exactly the same pattern for each group of three bytes, so it is solvable in the same way. We could use angr or z3 to solve this challenge, but I’m an old-school guy who does his stuff manually (at least for now). Therefore, I created the following Python script to solve the challenge.
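As an added example (my own code, not the author's script, which does not appear on the page), here is a solver for the three constraints recovered above. The constants are the ones the page gives: 0x51 from the text, and 0x35 and 0x57 from the `cmp eax, 35h` / `cmp eax, 57h` immediates in the two listings. Rather than hand-deriving a = (k1 + k2) / 2 and so on, it runs Gauss-Jordan elimination over exact rationals so the same function handles any later three-byte group once its rows are transcribed from the disassembly (those rows are not on the page, so only the first group is solved here), rejects a misread constant that yields a non-integer or non-printable byte, and replays the binary's own checks with movsx (signed char) semantics before accepting the answer.

```python
from fractions import Fraction

# Constraints lifted from the writeup. Each row is
# ((coef_flag0, coef_flag1, coef_flag2), immediate).
# 0x51 is stated in the text; 0x35 and 0x57 are the `cmp` immediates
# in the two listings (var_30, var_2F, var_2E = flag[0..2]).
FIRST_GROUP = [
    ((1, 1, -1), 0x51),   # flag[0] + flag[1] - flag[2] == 0x51
    ((1, -1, 1), 0x35),   # flag[0] - flag[1] + flag[2] == 0x35
    ((-1, 1, 1), 0x57),   # flag[1] - flag[0] + flag[2] == 0x57
]


def solve_linear(rows):
    """Gauss-Jordan elimination over Fractions. Returns the integer
    solution, or raises if the system is singular or non-integral."""
    n = len(rows)
    m = [[Fraction(c) for c in coefs] + [Fraction(rhs)] for coefs, rhs in rows]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: checks are not independent")
        m[col], m[pivot] = m[pivot], m[col]
        inv = 1 / m[col][col]
        m[col] = [x * inv for x in m[col]]
        for r in range(n):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    sol = [row[-1] for row in m]
    if any(x.denominator != 1 for x in sol):
        raise ValueError("no integer solution; a constant was probably misread")
    return [int(x) for x in sol]


def to_signed_char(v):
    """Model `movzx eax, byte` followed by `movsx eax, al`:
    the byte is treated as a signed 8-bit value."""
    v &= 0xFF
    return v - 0x100 if v >= 0x80 else v


def binary_accepts(group_bytes, rows):
    """Replay the binary's checks: sign-extend each byte, combine them with
    the listing's add/sub pattern and compare with the immediate."""
    vals = [to_signed_char(b) for b in group_bytes]
    return all(sum(c * v for c, v in zip(coefs, vals)) == rhs
               for coefs, rhs in rows)


def recover_group(rows):
    """Solve one three-byte group and verify it against the checks."""
    sol = solve_linear(rows)
    for v in sol:
        if not 0x20 <= v <= 0x7E:
            raise ValueError(f"{v} is not a printable byte; check the constants")
    if not binary_accepts(sol, rows):
        raise AssertionError("solution does not satisfy the replayed checks")
    return bytes(sol)


if __name__ == "__main__":
    print(recover_group(FIRST_GROUP).decode())
```

The replay step matters more than it looks: the solver works over unbounded integers, but the binary only ever sees sign-extended bytes, so a "solution" outside -128..127 would pass the algebra and still fail in the binary. Checking printability catches the other common mistake, a transcription error in one of the immediates, before any time is spent on the next group.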